From: ohilyard@iol.unh.edu
To: vladimir.medvedkin@intel.com
Cc: dev@dpdk.org, david.marchand@redhat.com,
 Owen Hilyard <ohilyard@iol.unh.edu>
Date: Wed, 16 Jun 2021 12:07:29 -0400
Message-Id: <20210616160730.348523-1-ohilyard@iol.unh.edu>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] [PATCH] lib/rte_rib6: fix stack buffer overflow
List-Id: DPDK patches and discussions <dev.dpdk.org>

From: Owen Hilyard <ohilyard@iol.unh.edu>

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir.
The fix for the stack buffer overflow was to make sure depth
was always < 128, since when depth = 128 it caused the index
into the IP address to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few
changes could be made to remove the for loop entirely.

Signed-off-by: Owen Hilyard <ohilyard@iol.unh.edu>
---
 lib/rib/rte_rib6.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c
index f6c55ee45..2de50449d 100644
--- a/lib/rib/rte_rib6.c
+++ b/lib/rib/rte_rib6.c
@@ -79,14 +79,20 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE],
 static inline int
 get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth)
 {
-	int i = 0;
-	uint8_t p_depth, msk;
-
-	for (p_depth = depth; p_depth >= 8; p_depth -= 8)
-		i++;
-
-	msk = 1 << (7 - p_depth);
-	return (ip[i] & msk) != 0;
+	int index, msk;
+	/* depth & 127 clamps depth to values that will not
+	 * read off the end of ip.
+	 * depth is the number of bits deep into ip to traverse, and
+	 * is incremented in blocks of 8 (1 byte). This means the last
+	 * 3 bits are irrelevant to what the index of ip should be.
+	 */
+	index = (depth & 127) >> 3;
+	/*
+	 * msk is the bitmask used to extract the bit used to decide the
+	 * direction of the next step of the binary search.
+	 */
+	msk = 1 << (7 - (depth & 7));
+	return (ip[index] & msk) != 0;
 }
 
 static inline struct rte_rib6_node *
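Review bot: `depth & 127` in `index = (depth & 127) >> 3;` does not clamp depth 128, it wraps it to 0, so a caller that passes depth 128 now silently tests bit 7 of ip[0] instead of reading ip[16]; the commit message says the fix ensures depth is always < 128, but this hunk only masks the value and the comment "depth & 127 clamps depth" is therefore misleading. Consider rejecting depth >= 128 explicitly in get_dir (an assertion or early return keyed to the array size, since `ip` has RTE_RIB6_IPV6_ADDR_SIZE bytes and bit index 128 has no byte), or documenting that callers must guarantee depth < 128 and why the masked result is acceptable for the lookup, and reword the comment to say "masks" rather than "clamps". Minor: `msk` changed from uint8_t to int; `1 << (7 - (depth & 7))` fits either, so either type is fine, but the change is unrelated to the fix and worth a word in the message.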
-- 
2.30.2
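The index arithmetic behind this fix, as an added example that is not part of the patch or of DPDK: it reproduces the pre-patch loop and the patched mask expression as pure index computations (no array access, so the out-of-bounds case is reported rather than triggered), and adds a hypothetical `get_dir_checked` that refuses depth >= 128 instead of masking it. `RIB6_ADDR_SIZE`, `RIB6_MAX_DEPTH`, `sample_addr` and the constructed address are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define RIB6_ADDR_SIZE 16   /* bytes in an IPv6 address; stands in for RTE_RIB6_IPV6_ADDR_SIZE */
#define RIB6_MAX_DEPTH 128  /* bits in an IPv6 address; valid bit depths are 0..127 */

/* Byte index the pre-patch loop arrives at: depth / 8 by repeated subtraction.
 * For depth == 128 this yields 16, one past the last valid index (15). */
static int old_index(uint8_t depth)
{
	int i = 0;
	uint8_t p_depth;

	for (p_depth = depth; p_depth >= 8; p_depth -= 8)
		i++;
	return i;
}

/* Byte index the patched expression computes: the mask wraps depth 128 to 0,
 * which stays inside the array but silently selects ip[0]. */
static int new_index(uint8_t depth)
{
	return (depth & 127) >> 3;
}

/* Hypothetical checked variant (not from the patch): reject depths that have
 * no corresponding byte and return -1 so the caller can tell misuse apart
 * from a legitimate 0/1 direction. */
static int get_dir_checked(const uint8_t ip[RIB6_ADDR_SIZE], uint8_t depth)
{
	int index, msk;

	if (depth >= RIB6_MAX_DEPTH)
		return -1;
	index = depth >> 3;             /* byte holding bit number `depth` */
	msk = 1 << (7 - (depth & 7));   /* bit within that byte, MSB first */
	return (ip[index] & msk) != 0;
}

/* Constructed sample address 2001:db8::1 for demonstration only. */
const uint8_t *sample_addr(void)
{
	static const uint8_t addr[RIB6_ADDR_SIZE] = {
		0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
		0, 0, 0, 0, 0, 0, 0, 0x01
	};
	return addr;
}

int main(void)
{
	const uint8_t depths[] = { 0, 7, 8, 127, 128 };
	size_t n;

	printf("depth  old_index  new_index  checked_dir\n");
	for (n = 0; n < sizeof(depths) / sizeof(depths[0]); n++) {
		uint8_t d = depths[n];
		printf("%5u  %9d  %9d  %11d%s\n", d, old_index(d), new_index(d),
		       get_dir_checked(sample_addr(), d),
		       old_index(d) >= RIB6_ADDR_SIZE ? "   <- old index out of bounds" : "");
	}
	return 0;
}
```

Running it prints the table; the depth 128 row shows the old index 16 (past the 16-byte array) next to the wrapped new index 0, while the checked variant returns -1 for that depth and a real direction bit for every depth below 128.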